FUN WITH LINUX

Full Disclosure: Remote-Command-Execution in PHKP

8 October 2018

Overview

  • System affected: PHKP
  • Software-Version: including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b
  • User-Interaction: Not required
  • Impact: Remote-Code-Execution
  • CVE: CVE-2018-1000885

Detailed Description

According to the project page, “PHKP is an implementation of the OpenPGP HTTP Keyserver Protocol (HKP) in PHP”. Because the search query parameter of the /pks/lookup call is passed to the shell unsanitized, arbitrary shell commands can be injected and executed remotely by any unauthenticated client.

In line 106 of phkp.php the search parameter of the “/pks/lookup?op=index” call is assigned without any checks, and in line 107 this variable is interpolated into the command string handed to exec():

$search = $vars['search'];                                         // line 106: attacker-controlled query parameter, no validation
$pgp_exec("--list-public-keys --list-keys $search", $output);      // line 107: $search lands unquoted on the shell command line

(The second line in the original reads $pgp_result = pgp_exec(...); the point is that the string is interpolated before the shell parses it.)

It is possible to inject any shell command through the search parameter. The URL has to be quoted so that the local shell does not interpret the “&” and “;” itself; the space is URL-encoded and decoded again by PHP before it reaches exec():

curl 'http://localhost:8008/pks/lookup?op=index&search=js@example.com;%20id'

In lines 116 and 117 the same pattern occurs again for the “/pks/lookup?op=get” call, so the remote code execution is reachable in two places.

Proof-Of-Concept

An ordinary lookup could be the following:

[Screenshot: normal phkp lookup]

By injecting shell commands into the search parameter, it is possible to execute any command:

[Screenshot: phkp RCE, output of the injected command in the HTTP response]

Mitigation

Currently there is no fix for this bug. The author was informed on Jul 18 2018. A fix has to make sure that $search can only ever reach the shell as one argument: escapeshellarg() quotes the value as a single argument, and an allowlist check on the search string (key ID, fingerprint or e-mail address) additionally stops values beginning with “--” from being parsed by gpg as options. escapeshellcmd() alone is weaker, because it only escapes shell metacharacters and still lets whitespace-separated extra arguments through to gpg.
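The following is an added example, not code from phkp or its author, that shows the vulnerable command construction from lines 106/107 next to a hardened version of the kind the mitigation above describes. It only builds the command strings and does not run gpg, so it can be tried offline; the allowlist pattern and the function names are assumptions made for this illustration:

```php
<?php
// Added example (not phkp's own code): how the op=index lookup turns the
// search parameter into a gpg command line, vulnerable form beside a
// hardened one. Only the strings are built here; nothing is executed.
declare(strict_types=1);

// Vulnerable shape, as in phkp.php lines 106/107: $search is interpolated
// straight into the shell command line, so "; id" becomes a second command.
function build_lookup_cmd_vulnerable(string $search): string
{
    return "gpg --list-public-keys --list-keys $search";
}

// Hardened shape: first reject anything that is not a plausible key ID,
// fingerprint or e-mail address (assumed allowlist for what HKP clients
// send), then quote the value so the shell passes exactly one argument.
function build_lookup_cmd_hardened(string $search): string
{
    $ok = preg_match(
        '/^(0x)?[0-9A-Fa-f]{8,40}$|^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/',
        $search
    );
    if ($ok !== 1) {
        // The allowlist also keeps values starting with "--" away from gpg,
        // which quoting alone would still hand to it as an option name.
        throw new InvalidArgumentException('invalid search string');
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes. escapeshellcmd() would not be enough here: it escapes shell
    // metacharacters but leaves spaces, so "js@example.com --foo" would
    // still reach gpg as two arguments.
    return 'gpg --list-public-keys --list-keys ' . escapeshellarg($search);
}

// Constructed payload, the same one used in the curl request above.
$payload = 'js@example.com; id';

echo "vulnerable: ", build_lookup_cmd_vulnerable($payload), PHP_EOL;

try {
    echo "hardened:   ", build_lookup_cmd_hardened($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")", PHP_EOL;
}

// A legitimate query passes the allowlist and is quoted as one argument.
echo "hardened:   ", build_lookup_cmd_hardened('js@example.com'), PHP_EOL;
```

Run with `php lookup.php` (assumed file name). The vulnerable line prints the injected command verbatim, the hardened version rejects the payload, and the legitimate address comes out wrapped in single quotes; if the value is later passed to exec(), that quoting is what keeps the shell from seeing a second command.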

Credits

The remote code execution bug was discovered by Wolfgang Hotwagner (https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp).

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti